REFERENCE LINKS:

IMPACT ASSESSMENT:

High

Discussion:

This advisory only affects BIND users who are using the RPZ feature configured for RRset replacement. BIND 9.8.0 introduced Response Policy Zones (RPZ), a mechanism for modifying DNS responses returned by a recursive server according to a set of rules which are either defined locally or imported from a reputation provider. In typical configurations, RPZ is used to force NXDOMAIN responses for untrusted names. It can also be used for RRset replacement, i.e., returning a positive answer defined by the response policy. When RPZ is being used, a query of type RRSIG for a name configured for RRset replacement will trigger an assertion failure and cause the name server process to exit.

Impact:

The vulnerability is caused due to an assertion failure when processing RRSIG queries if the Response Policy Zones (RPZ) mechanism is used for RRset replacement, which can be exploited to terminate the server via RRSIG queries.

Solution:

Use RPZ only for forcing NXDOMAIN responses and not for RRset replacement.